Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.

Abstract: Introduced here is a network-accessible platform (or simply “platform”) that is designed to monitor digital activities that are performed across different services to ascertain, in real time, threats to the security of an enterprise. In order to surface insights into the threats posed to an enterprise, the platform can apply machine learning models to data that is representative of digital activities performed on different services with respective accounts. Each model may be trained to understand what constitutes normal behavior for a corresponding employee with respect to a single service or multiple services. Not only can these models be autonomously trained for the employees of the enterprise, but they can also be autonomously applied to detect, characterize, and catalog those digital activities that are indicative of a threat.

Abstract: Introduced here is a network-accessible platform (or simply “platform”) that is designed to monitor digital activities that are performed across different services to ascertain, in real time, threats to the security of an enterprise. In order to surface insights into the threats posed to an enterprise, the platform can apply machine learning models to data that is representative of digital activities performed on different services with respective accounts. Each model may be trained to understand what constitutes normal behavior for a corresponding employee with respect to a single service or multiple services. Not only can these models be autonomously trained for the employees of the enterprise, but they can also be autonomously applied to detect, characterize, and catalog those digital activities that are indicative of a threat.

Abstract: Introduced here is a network-accessible platform (or simply “platform”) that is designed to monitor digital activities that are performed across different services to ascertain, in real time, threats to the security of an enterprise. In order to surface insights into the threats posed to an enterprise, the platform can apply machine learning models to data that is representative of digital activities performed on different services with respective accounts. Each model may be trained to understand what constitutes normal behavior for a corresponding employee with respect to a single service or multiple services. Not only can these models be autonomously trained for the employees of the enterprise, but they can also be autonomously applied to detect, characterize, and catalog those digital activities that are indicative of a threat.

Abstract: Introduced here is a network-accessible platform (or simply “platform”) that is designed to monitor digital activities that are performed across different services to ascertain, in real time, threats to the security of an enterprise. In order to surface insights into the threats posed to an enterprise, the platform can apply machine learning models to data that is representative of digital activities performed on different services with respective accounts. Each model may be trained to understand what constitutes normal behavior for a corresponding employee with respect to a single service or multiple services. Not only can these models be autonomously trained for the employees of the enterprise, but they can also be autonomously applied to detect, characterize, and catalog those digital activities that are indicative of a threat.

Abstract: Access to emails delivered to an employee of an enterprise is received. An incoming email addressed to the employee is acquired. A primary attribute is extracted from the incoming email by parsing at least one of: (1) content of the incoming email or (2) metadata associated with the incoming email. It is determined whether the incoming email deviates from past email activity, at least in part by determining, as a secondary attribute, a mismatch between a previous value for the primary attribute and a current value for the primary attribute, using a communication profile associated with the employee, and providing a measured deviation to at least one machine learning model.

Abstract: It is determined that a first email is present in a mailbox where emails deemed suspicious are placed for analysis. In response to determining that the first email is present in the mailbox, it is determined whether the first email is representative of a threat to an enterprise based at least in part by applying a trained model to the first email. In response to determining that the first email represents a threat to the enterprise, a record of the threat is generated by populating a data structure with information related to the first email. The data structure is applied to inboxes of a plurality of the employees to determine whether the first email is part of a campaign. In response to determining that the first email is part of a campaign, a filter associated with the data structure is applied to inbound emails addressed to employees of the enterprise.

Abstract: A message addressed to a user is received. A first model is applied to the message to produce a first output indicative of whether the message is representative of a non-malicious message. The first model is trained using past messages that have been verified as non-malicious messages. It is determined, based on the first output, that the message is potentially a malicious message. Responsive to determining that the message is potentially a malicious email based on the first output, apply a second model to the message to produce a second output indicative of whether the message is representative of a given type of attack. The second model is one of a plurality of models. At least one model included in the plurality of models is associated with characterizing a goal of the malicious message. An action is performed with respect to the message based on the second output.

Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.

Abstract: Introduced here are computer programs and computer-implemented techniques for discovering malicious emails and then remediating the threat posed by those malicious emails in an automated manner. A threat detection platform may monitor a mailbox to which employees of an enterprise are able to forward emails deemed to be suspicious for analysis. This mailbox may be referred to as an “abuse mailbox” or “phishing mailbox.” The threat detection platform can examine emails contained in the abuse mailbox and then determine whether any of those emails represent threats to the security of the enterprise. For example, the threat detection platform may classify each email contained in the abuse mailbox as being malicious or non-malicious. Thereafter, the threat detection platform may determine what remediation actions, if any, are appropriate for addressing the threat posed by those emails determined to be malicious.

Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.

Abstract: Introduced here are computer programs and computer-implemented techniques for building, training, or otherwise developing models of the behavior of employees across more than one channel used for communication. These models can be stored in profiles that are associated with the employees. At a high level, these profiles allow behavior to be monitored across multiple channels so that deviations can be detected and then examined. Moreover, remediation may be performed if an account is determined to be compromised based on its recent activity.

Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.

Abstract: Techniques for identifying and processing graymail are disclosed. An electronic message store is accessed. A determination is made that a first message included in the electronic message store represents graymail, including by accessing a profile associated with an addressee of the first message. A remedial action is taken in response to determining that the first message represents graymail.

Abstract: Techniques for building, training, or otherwise developing models of the behavior of employees across more than one channel used for communication are disclosed. These models can be stored in profiles that are associated with the employees. Such profiles allow behavior to be monitored across multiple channels so that deviations can be detected and then examined. Remediation can be performed if an account is determined to be compromised based on its recent activity.

Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.

Abstract: Techniques for identifying and processing graymail are disclosed. An electronic message store is accessed. A determination is made that a first message included in the electronic message store represents graymail, including by accessing a profile associated with an addressee of the first message. A remedial action is taken in response to determining that the first message represents graymail.

Abstract: Techniques for building, training, or otherwise developing models of the behavior of employees across more than one channel used for communication are disclosed. These models can be stored in profiles that are associated with the employees. Such profiles allow behavior to be monitored across multiple channels so that deviations can be detected and then examined. Remediation can be performed if an account is determined to be compromised based on its recent activity.

Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.

Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.